The following scenario describes an example in which Active Server Pages (ASP) applications may experience issues that are related to this non-support of Kerberos authentication.
ASP applications experience MAPI_E_LOGON_FAILED errors when the following conditions are true:
- The ASP applications use integrated authentication.
- Collaboration Data Objects (CDO 1.21) is used to log on to a mailbox on a remote Exchange server.
This is a double-hop scenario in which credentials that are gathered by the server that is running Internet Information Services (IIS) would be passed to the Exchange server if Kerberos authentication were available. Because the Exchange store provider does not support Kerberos authentication, credentials cannot be passed in a double-hop scenario.
When you run the same ASP Web application in Internet Explorer directly on the server that is running IIS, this error does not occur. In this case, Kerberos authentication is not needed.
To work around this issue, use one of the following methods.
Use Basic authentication with SSL
Basic authentication generates an interactive token which can be passed to different servers. The drawback with Basic authentication is that users are prompted for a user name and password. Additionally, the user name and password are sent to the server in clear text. Therefore, if you use Basic authentication, make sure that you use Secure Sockets Layer (SSL) for the Web application.
Use WebDAV
WebDAV uses HTTP requests and responses together with XML to query, to create, and to modify Exchange data. Because you are using HTTP requests, IIS handles authentication.
Host the Web application on the Exchange server
Kerberos is used to pass credentials between servers. Therefore, if the Web application and Exchange are on the same server, you do not have to use Kerberos. In this case, the Web application will not experience the issue that is described in this article.